Hi,

Most of this was done in Samba 4.8, but we still build with Heimdal in Debian.

There are two reasons:
- missing features [1]
- fear of breaking things (especially on upgrade)

I hope that the feature gap will decrease in 4.9 and later, but we probably won't migrate before buster+1 (i.e. next-next stable).

Regards
--
Mathieu Parent

[1]: Samba DCs with MIT Kerberos KDC currently do not support:
- PKINIT support required for using smart cards
- Service for User to Self-service (S4U2self)
- Service for User to Proxy (S4U2proxy)
- Running as a Read only domain controller (RODC)
(https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC)